On this page

Self-signed server certificate

Use Gloo Mesh Enterprise self-signed certificates for the root CA and use these credentials to derive the server TLS certificate for the Gloo management server.

You can choose to use self-signed certificates for the root CA and use these credentials to derive the server TLS certificate for the Gloo management server. The Gloo management server uses this certificate to prove its identity to Gloo agents and to encrypt the traffic between the management server and the agent.

For more information about this option, see Self-signed server TLS certificate.

Single cluster

Follow the Install with Helm guide.

In your Helm values file, add the following values.

  
glooMgmtServer:
  serviceType: ClusterIP
  registerCluster: true
  enabled: true
  extraEnvs: 
    RELAY_TOKEN: 
      value: "My token"
    RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION: 
      value: "true" 
glooAgent:
  enabled: true
  relay:
    serverAddress: gloo-mesh-mgmt-server.gloo-mesh:9900
  extraEnvs:
    RELAY_TOKEN: 
      value: "My token"
    RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION: 
      value: "true"

Helm value	Description
`glooMgmtServer.extraEnvs.RELAY_TOKEN`	Specify the relay token that the Gloo management server and agent use to establish initial trust. When you install Gloo Mesh Enterprise and set `RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION` to true, the connection between the Gloo management server and agent is automatically secured by using simple, server-side TLS. In a simple TLS setup, only the management server presents a certificate to authenticate its identity. The identity of the agent is not verified. To ensure that only trusted agents connect to the management server, the relay identity token is used. The relay identity token can be any string value and is stored in the `relay-identity-token-secret` Kubernetes secret. You must set the same value in `glooAgent.extraEnvs.RELAY_TOKEN.value` to allow the Gloo agent to connect to the Gloo management server.
`glooMgmtServer.extraEnvs.` `RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION`	Set this value to true to not require a client TLS certificate from the Gloo agent to prove the agent’s identity and establish the connection with the management server. This setting is required when you want to use simple TLS to secure the connection between the Gloo management server and agent.
`glooAgent.extraEnvs.RELAY_TOKEN`	Use the same value that you set in `glooMgmtServer.extraEnvs.RELAY_TOKEN`.
`glooAgent.extraEnvs.` `RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION`	Set to true to skip validating the server TLS certificate that the Gloo management server presents. This setting is required to configure the relay connection for TLS.

Multicluster

Follow the Install with Helm guide to set up Gloo Mesh Enterprise.

In your Helm values file for the management server, add the following values.

  
glooMgmtServer:
  enabled: true
  extraEnvs:
    RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION:
      value: "true"  
    RELAY_TOKEN: 
      value: "My token"

Helm value Description

RELAY_TOKEN Specify the relay token that the Gloo management server and agent use to establish initial trust. When you install Gloo Mesh Enterprise and set RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION to true, the connection between the Gloo management server and agent is automatically secured by using simple, server-side TLS. In a simple TLS setup, only the management server presents a certificate to authenticate its identity. The identity of the agent is not verified. To ensure that only trusted agents connect to the management server, the relay identity token is used. The relay identity token can be any string value and is stored in the relay-identity-token-secret Kubernetes secret on the management cluster. You must set the same value in glooAgent.extraEnvs.RELAY_TOKEN.value when installing Gloo Mesh Enterprise in a workload cluster to allow Gloo agents to connect to the Gloo management server.

RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION Set this value to true to not require a client TLS certificate from the Gloo agent to prove the agent’s identity and establish the connection with the management server. This setting is required when you want to use simple TLS to secure the connection between the Gloo management server and agent.

Helm value	Description
`RELAY_TOKEN`	Specify the relay token that the Gloo management server and agent use to establish initial trust. When you install Gloo Mesh Enterprise and set `RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION` to true, the connection between the Gloo management server and agent is automatically secured by using simple, server-side TLS. In a simple TLS setup, only the management server presents a certificate to authenticate its identity. The identity of the agent is not verified. To ensure that only trusted agents connect to the management server, the relay identity token is used. The relay identity token can be any string value and is stored in the `relay-identity-token-secret` Kubernetes secret on the management cluster. You must set the same value in `glooAgent.extraEnvs.RELAY_TOKEN.value` when installing Gloo Mesh Enterprise in a workload cluster to allow Gloo agents to connect to the Gloo management server.
`RELAY_DISABLE_CLIENT_CERTIFICATE_AUTHENTICATION`	Set this value to true to not require a client TLS certificate from the Gloo agent to prove the agent’s identity and establish the connection with the management server. This setting is required when you want to use simple TLS to secure the connection between the Gloo management server and agent.

In your Helm values file for the workload cluster, add the following values.

  
glooAgent:
  enabled: true
  extraEnvs:
    RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION:
      value: "true"  
    RELAY_TOKEN: 
      value: "My token"
telemetryCollector:
  enabled: true
telemetryCollectorCustomization:
  skipVerify: true

Helm value	Description
`RELAY_TOKEN`	The relay token to establish initial trust between the Gloo management server and the agent. The relay token is saved in memory on the Gloo agent. You must set the same value that you set in `glooMgmtServer.extraEnvs.RELAY_TOKEN.value` when you installed the Gloo Mesh Enterprise management plane to allow Gloo agents to connect to the Gloo management server.
`RELAY_DISABLE_SERVER_CERTIFICATE_VALIDATION`	Set to true to skip validating the server TLS certificate that the Gloo management server presents. This setting is required to configure the relay connection for TLS.
`telemetryCollectorCustomization.skipVerify`	Set to true to skip validation of the server certificate that the Gloo telemetry gateway presents. By default, the Gloo telemetry gateway uses the same TLS certificates that the Gloo management server uses for the relay connection. If you configure the relay connection for TLS, you must set `skipVerify` to true on the telemetry collector agent.

Self-signed server certificate

Single cluster link

Multicluster link

Single cluster

Multicluster